Tuesday, May 31, 2011

The New York Times reports that the Obama administration is concerned that widely publicized data breaches in health care organizations will hamper its efforts to promote the adoption of electronic health records (EHR) technology.

Researchers at Carnegie Mellon University have shown that at least 30 people and organizations have access to the health data of a typical person with private insurance through an employer. - New York Times

The administration's likely response will be in the form of increased enforcement activity and more stringent fines for health care organizations that have failed to fully implement controls required by the HIPAA privacy and security rules.

The problem is compounded by the nature of the information itself, which needs to be accessible in order to provide effective and timely health care. As a result, health care information systems are typically designed to "fail open," to allow medical personnel less restricted access to patient data and enable necessary treatment to proceed.

To mitigate access control weaknesses without impeding patient care, health care organizations are looking to review access to electronic medical records using technology based on identity and access intelligence (IAI). IAI analyzes patterns of medical records access via stores of user identities, application and system rights, and user activity. By comparing what information was accessed, when, and by whom, with user privileges, IAI systems indicate whether access to patient data was valid or whether a policy exception (such as medical records snooping) has occurred.

Sunday, May 22, 2011

Recommendation of Report by Inspector General for Health and Human Services

More government audits of hospitals and increased enforcement of the HIPAA Security Rule were the chief recommendations of the Office of the Inspector General (OIG) in its report on the Department of Health and Human Services' Office for Civil Rights (HHS/OCR).

According to the OIG report, HHS/OCR oversight and enforcement actions were insufficient to ensure hospitals effectively implement the HIPAA Security Rule. As a result, the government had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise.

"Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge." - Daniel R. Levinson, Inspector General of HHS

The report is based on seven audits of hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. These audits focused primarily on the hospitals’ implementation of the HIPAA Security Rule, including the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI.

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively implement the HIPAA Security Rule - with no hardware and no on-site software.

Audit Found 151 High Impact Vulnerabilities
The OIG's audits identified 151 vulnerabilities, of which 124 were determined to be high impact, meaning they could significantly violate, harm, or impede the hospitals' mission, reputation, and interest, or result in human death or serious injury.

While each of the hospitals had implemented some controls to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule.

Thursday, May 12, 2011

This month's cover story in "For the Record" is a good overview of the IT security issues healthcare organizations face as they transition from paper-based protected health information (PHI) to electronic protected health information (ePHI).

Traditional approaches to detecting inappropriate access to electronic health records require dedicated IT staff and burden privacy and compliance officers with huge volumes of activity logs to investigate. The problem lies in static rules and scenarios that yield too many false positives and false negatives.

For example, traditional approaches cannot differentiate between appropriate access by a nurse looking at the records of a current patient and inappropriate access when the same nurse looks at the records of the same patient after the patient has been transferred to a different unit where the patient is under the care of a different nurse.

Only a combination of privacy training and a reliable medical snooping detection capability will deter unauthorized access by employees.
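The nurse-after-transfer scenario above is a concrete case of the join the IAI post describes: access activity compared against identity and assignment data rather than against a static role. The following is an added example, not code from this blog, from Gartner, or from any vendor; it runs a traditional role-based rule and a care-relationship rule side by side over a constructed chart access log so the false negative of the static rule is visible. Every name, field and timestamp in it is an assumption made for the example.

```python
"""
Care-relationship check for EHR chart access (added example; not the blog's or any
vendor's code). Three constructed data sets are joined, the way the post describes
IAI joining identity, rights and activity data:
  - UnitStay: which unit a patient was on, and when (transfer history)
  - Shift:    which unit a clinician was assigned to, and when
  - Access:   who opened which patient's chart, and when (audit log)
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class UnitStay:
    """Patient occupied `unit` from `start` (inclusive) until `end` (exclusive)."""
    patient_id: str
    unit: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Shift:
    """Clinician was assigned to `unit` during the window."""
    user_id: str
    unit: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Access:
    """One chart-open event from the EHR audit log."""
    user_id: str
    patient_id: str
    at: datetime


@dataclass(frozen=True)
class Finding:
    access: Access
    verdict: str  # "valid" or "exception"
    reason: str


def static_role_rule(access: Access, roles: Dict[str, str], stays: List[UnitStay]) -> Finding:
    """Traditional rule: any clinician may open the chart of any admitted patient."""
    admitted = any(s.patient_id == access.patient_id and s.start <= access.at < s.end for s in stays)
    if roles.get(access.user_id) in {"nurse", "physician"} and admitted:
        return Finding(access, "valid", "clinician role and patient admitted")
    return Finding(access, "exception", "no clinical role or patient not admitted")


def relationship_rule(access: Access, stays: List[UnitStay], shifts: List[Shift]) -> Finding:
    """IAI-style rule: valid only while the user is on duty on the unit the patient is on."""
    patient_unit: Optional[str] = next(
        (s.unit for s in stays if s.patient_id == access.patient_id and s.start <= access.at < s.end), None)
    if patient_unit is None:
        return Finding(access, "exception", "patient not admitted at access time")
    user_units: Set[str] = {
        sh.unit for sh in shifts if sh.user_id == access.user_id and sh.start <= access.at < sh.end}
    if patient_unit in user_units:
        return Finding(access, "valid", f"user on duty on patient's unit {patient_unit}")
    if user_units:
        return Finding(access, "exception",
                       f"patient on {patient_unit}, user on duty on {', '.join(sorted(user_units))}")
    return Finding(access, "exception", "user not on duty at access time")


def review(log: List[Access], roles: Dict[str, str], stays: List[UnitStay],
           shifts: List[Shift]) -> Tuple[List[Finding], List[Finding]]:
    """Return (static-rule verdicts, relationship-rule verdicts) in log order."""
    return ([static_role_rule(a, roles, stays) for a in log],
            [relationship_rule(a, stays, shifts) for a in log])


T = datetime.fromisoformat

# Constructed sample data: patient P100 is transferred from ICU to MED-4 on 3 May.
STAYS = [UnitStay("P100", "ICU", T("2011-05-01T08:00"), T("2011-05-03T10:00")),
         UnitStay("P100", "MED-4", T("2011-05-03T10:00"), T("2011-05-06T12:00"))]
SHIFTS = [Shift("nurse_a", "ICU", T("2011-05-02T07:00"), T("2011-05-02T19:00")),
          Shift("nurse_a", "ICU", T("2011-05-04T07:00"), T("2011-05-04T19:00")),
          Shift("nurse_b", "MED-4", T("2011-05-04T07:00"), T("2011-05-04T19:00"))]
ROLES = {"nurse_a": "nurse", "nurse_b": "nurse", "clerk_c": "billing"}
LOG = [Access("nurse_a", "P100", T("2011-05-02T09:30")),  # own patient, on duty: valid
       Access("nurse_a", "P100", T("2011-05-04T15:00")),  # same nurse after transfer: the post's scenario
       Access("nurse_a", "P100", T("2011-05-03T22:00")),  # off shift
       Access("nurse_b", "P100", T("2011-05-04T11:00")),  # receiving unit's nurse: valid
       Access("clerk_c", "P100", T("2011-05-05T09:00"))]  # no clinical role

if __name__ == "__main__":
    static, relational = review(LOG, ROLES, STAYS, SHIFTS)
    for s, r in zip(static, relational):
        a = s.access
        print(f"{a.at:%m-%d %H:%M} {a.user_id:8} {a.patient_id}  "
              f"static={s.verdict:9} relationship={r.verdict:9} {r.reason}")
```

The static rule clears four of the five accesses because each user holds a clinical role and the patient is admitted; it only catches the billing clerk. The relationship rule additionally flags the nurse's post-transfer access and the off-shift access, each with a reason the privacy officer can act on. In practice the unit-stay and shift data would come from the ADT and staffing systems, and the half-open intervals keep a transfer at exactly 10:00 from matching both units.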

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.


Wednesday, May 11, 2011

Organizations implementing identity and access management (IAM) solutions are looking for a shorter path to business value and improved return on investment (ROI) from their IAM implementation.

Identity and Access Intelligence (IAI) is an emerging solution that was recognized by Gartner in 2010. But what is IAI and how can it dramatically improve your business? A new IAI article in Enterprise System Journal provides a clear overview every manager should read.

"Identity and access intelligence (IAI) solutions mine identity, rights, and activity data for intelligence that is useful to the operation of the business, as well as to the deployment of an IAM system. It can accelerate IAM, and once IAM is in production, serve as an analytical layer that augments IAM." - Article in Enterprise System Journal

IAI uses an analytical process to discover user rights and activity patterns hidden in directory, application, system, and network data. The output of the analysis provides insight into user behavior patterns delivered in a format that business managers can easily understand and use to improve decisions about business processes, asset utilization, and security.

Tuesday, May 10, 2011

The Securities and Exchange Commission (SEC) just published a study which concludes that the controversial Section 404(b) of the Sarbanes-Oxley Act should continue to be required for companies with a market capitalization between $75 million and $250 million.

The study is the result of a Dodd-Frank Act mandate that the SEC consider exempting certain types of companies from Section 404(b) of the Sarbanes-Oxley Act.

"The staff did not find any specific evidence that such potential savings [from eliminating the auditor attestation provisions of Section 404(b)] would justify the loss of investor protections and benefits to issuers." - Report by ACO of the SEC

On the issue of the 404(b) requirement's influence on companies going public on US markets, the report admits that "the research regarding the reasons for listing decisions is inconclusive" but goes on to say that "the evidence does not suggest that granting an exemption ... would, by itself, encourage companies in the United States or abroad to list their IPOs in the United States."

Cut the time and expense of user access compliance. See how Identity and Access Intelligence as a service assures compliance - with no hardware and no on-site software.

Monday, May 9, 2011

Thirty-two employees at two Minneapolis hospitals were fired for violating the federal patient privacy rules. The employees are accused of snooping on the electronic medical records (EMR) of 12 patients who were treated last March for an overdose of a designer drug named "2C-E".

"We take our obligation to protect patient privacy very seriously. Anything short of a zero tolerance approach to this issue would be inadequate." - David Kanihan, Allina Director of Marketing and Communications

The employees were discovered as part of an audit of who accessed high-profile patients' medical records. The hospital's investigation determined that the employees had no legitimate patient care reasons to look at the information.

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.

Saturday, May 7, 2011

"Fines are only part of the penalty [for violating healthcare regulations]. It's the bad PR and bad news about the practice and the physician's procedures when patient data is lost or stolen that will really hurt the practice." - John Brewer, founder and owner of MedTech USA, LLC

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.

Wednesday, May 4, 2011

The receptionist at a Chicago healthcare practice was arrested for identity theft and for being the "organizer of a continuing financial crimes enterprise". The receptionist's accomplice withdrew cash from a local bank using a fake ID that had the accomplice's picture but the patient’s personal information.

The bank has reimbursed each of the 26 known victims, but police believe there may be more victims and the amount of the fraud may exceed the $125,000 identified to date.

The investigation began when several women in the same geographic area reported bank fraud. The police found that a commonality among the victims was their healthcare provider.

Learn how an on-demand, pay-per-use patient privacy breach detection service can cost effectively catch violations of HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.

The owner of the healthcare practice was alerted by the Chicago Police Department Financial Crimes Division that it was investigating a matter involving one of its employees.

"We take information protection very seriously and will continue to work to ensure that all appropriate measures are taken to protect our patients." - the healthcare practice's lawyer

Patient privacy was highlighted in a recent interview by Farzad Mostashari, the new head of the Office of the National Coordinator for Health IT (ONC).

"We need to ensure and maintain the public's trust in health information systems ... to have the confidence that the information is secure where it's kept, where it's moving, and also that their privacy rights are protected." - Farzad Mostashari, head of ONC

Mostashari also emphasized increased enforcement of the HIPAA privacy rule and security rule by the Department of Health and Human Services' Office for Civil Rights (HHS/OCR). "OCR recently imposed such civil monetary penalties for entities that violated [HIPAA], and I think we're going to see continued cases like that."

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.

Sunday, May 1, 2011

Regulatory compliance topped the list of business issues according to a recent survey by ISACA, a global organization for information security, audit, control, and governance professionals.

Issues within regulatory compliance were managing and sharing personally identifiable information (PII), the costs associated with required controls, compliance process management, and the segregation of duties and privileged access monitoring.

"Keeping up with the ever evolving legislative and regulatory requirements is time consuming and expensive as IT must design and maintain systems." - ISACA Survey Report

The top seven business issues identified by the survey are:

1. Regulatory compliance
2. Enterprise-based IT management and IT governance
3. Information security management
4. Disaster recovery/business continuity
5. Challenges of managing IT risks
6. Vulnerability management
7. Continuous process improvement and business agility

Cut the time and expense of user access compliance. See how Identity and Access Intelligence as a service addresses user access compliance - with no hardware and no on-site software.

The results are based on a survey of 46,101 ISACA members and 2,405 responses (6.9% response rate). The survey was conducted between 10/12/2010 and 11/19/2010.

About ISACA
ISACA is a global organization for information security, audit, control, and governance professionals. The ISACA information system auditing and control standards are followed by practitioners worldwide.